FDA calls for hospitals to discontinue use of infusion pumps due to security vulnerabilities

Hospital systems that use Hospira Symbiq Infusion Systems should transition to a different infusion system "as soon as possible" due to cybersecurity concerns with the Hospira model, according to the U.S. Food and Drug Administration.

The FDA had warned of security problems with the pumps back in May, and at that time had released recommendations for health systems using the pumps to undertake. Now the agency is taking it a step further, asking that hospitals discontinue use of the pumps altogether.

The pumps have vulnerabilities that could allow unauthorized users to gain access to the devices and modify the doses they deliver, the FDA and an independent investigator found.

The Hospira pumps are not currently on the market due to issues unrelated to the security vulnerabilities, according to the FDA.

For hospitals still using the pumps and looking to move to a new system, the FDA suggests:

  • Providers disconnect the affected product from their network, which will require drug libraries to be updated manually
  • Ensure unused ports are closed
  • Monitor and log all network traffic attempting to reach the affected product through any of the ports

Hospira's infusion pumps have been under fire for cybersecurity flaws since 2014, when the U.S. Department of Homeland Security conducted an investigation into medical devices and hospital equipment. DHS expressed concerns that the tools could be activated remotely, and at the time said it was working with manufacturers to identify and repair software bugs and vulnerabilities.

To that end, the security of such devices has been criticized at length in the industry, with many saying that security must be baked into devices from the start and not tacked on at the end of the process, FierceHealthIT has previously reported.

To learn more:
- here's the FDA announcement